Remove unnecessary bypass_sign_in calls#8324
Conversation
changelog: Internal, Authentication, Remove unnecessary bypass_sign_in calls
|
Trying to understand the background here: The documentation also mentions this being "useful in cases where the user is already signed in, but we want to refresh the credentials in session.". Historically it looks like this was implemented following manipulation of the Warden session, which still technically happens, just indirectly through Overall, seems like a reasonable change, and the tests passing is at least some comfort in it not introducing any issues. |
mitchellhenke
force-pushed
the
mitchellhenke/remove-bypass-sign-in
branch
from
7d7e116 to
c5c793a
Compare
Yeah, my research into it led me to a similar place. We don't appear to be setting any keys that match the devise regex that would be deleted by the method, and the method only writes Example session: {"warden.user.user.key"=>[[8582], "b02db48eb5cd218bcc6afe453512ad5bd5e37575e89519a7f262bb4bea583982"],
"warden.user.user.session"=>
{"need_two_factor_authentication"=>false,
"unique_session_id"=>"K-SMJnzVtaZn7UqHkDRH",
"last_request_at"=>1683128971,
"auth_method"=>"remember_device",
"authn_at"=>Wed, 03 May 2023 12:49:31.000000000 -03 -03:00}} |
* LG-8948 Content changes only (#8312) * Content changes * fixing french translation * changelog: User-facing changes, In-person proofing, update translations and content in prep for location and prepare step swap * changelog: User-facing improvements, In-person proofing, update translations and content in prep for location and prepare step swap * Update spanish translation * Remove unnecessary bypass_sign_in calls (#8324) * Remove unnecessary bypass_sign_in calls changelog: Internal, Authentication, Remove unnecessary bypass_sign_in calls * add comment describing usage of bypass_sign_in * Ensure account deletion emails get sent even when emails are configured to send asynchronously (#8328) changelog: Bug Fixes, Emails, Ensure account deletion emails get sent even when emails are configured to send asynchronously * LG-9613 Update reporting CLI to allow monthly queries (#8318) Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> changelog: Internal, Update reporting options, Allows monthly authentication and IDV reports * LG-9294 Rate limit for 'Verify your ID' must include a link back to SP (#8291) * LG-9294 Rate limit for 'Verify your ID' must include a link back to SP Add link to throttled error page enabled rate limited user to link back to SP using defined failure to proof url changelog: User-Facing Improvements, Identity Verification, Rate limited user can link back to SP using defined failure to proof url * fix test for throttled failure to proof link * lint fix * fix rate limiting message for image upload controller * fix paragraph hierarchy * happy linting * happier linting. * fix single quote in spec * create new i18n key for exiting idv due to failure * update test to use idv.failure.exit.with_sp * add status bar and cond'l sp_name failure exit message * happy linting * fix i18n unused keys error * happy linting * fix current step in spec * check exit link without sp * exit message in 1 line * put exit msg in variable * refactor exit text * happy linting * refactor back to original link test to satisfy unused keys test --------- Co-authored-by: AmirReavis-Bey <amirreavis-bey@fcoh2j-wyp9w9mv.localdomain> * LG-9386: 508 Complaince, Move from using window to tab. (#8317) * changelog: User-Facing Improvements, 508 Issues, change language for default behavior to new tab instead of window * update tab * change name * update to new tab * fix erb lint * french translation * change to new tab * fix html * update spec * add spanish translation * LG-9297 Add Cancel Link (#8321) * Adding Cancel option to review-issues of doc capture * Adding test for not displaying sp option when reviewing errors * Adding spec for displaying sp troubleshooting option * Adding test for showSPOption to doc troubleshooting component changelog: User-Facing Improvements, Document Capture, Adding cancel to document capture error view * LG-9438 | Fix bug with IPP redirect (#8303) changelog: Internal, In-Person Proofing, Bugfix when verifying IPP data Co-authored-by: Tomas Apodaca <Thomas.Apodaca@gsa.gov> * test all review status in loop to avoid dupe code * LG-9107 Redirect old hybrid text link to new controller (#8325) * Redirect old hybrid text link to new controller When a user saves a text link, we want them to be directed to the new code path rather than a 404, even if the new path will tell them their session has expired. changelog: Internal, Code quality, redirect from old hybrid flow text link to new code * Remove FSM capture_doc tests that depend on old text link routes Disabled tests will be removed by the big delete PR along with the rest of the code * proofing_device_profiling enabled and disabled testing * redefine contexts * happy linting * Upgrade JS YAML package to resolve security advisory (#8331) changelog: Internal, Dependencies, Upgrade JS YAML package to resolve security advisory * Fix javascript tests using updated new_window/new_tab content (#8333) changelog: Bug Fixes, Testing, Fix tests using updated new_window/new_tab content --------- Co-authored-by: Jack Ryan <jackryan@navapbc.com> Co-authored-by: Mitchell Henke <mitchell.henke@gsa.gov> Co-authored-by: Davida (she/they) <davida.marion@gsa.gov> Co-authored-by: AmirReavis-Bey <amirreavis-bey@fcoh2j-wyp9w9mv.localdomain> Co-authored-by: Malick Diarra <malick.diarra@gsa.gov> Co-authored-by: Eric Gade <105373963+eric-gade@users.noreply.github.com> Co-authored-by: Matt Wagner <mattwagner@navapbc.com> Co-authored-by: Tomas Apodaca <Thomas.Apodaca@gsa.gov> Co-authored-by: Sonia Connolly <sonia.connolly@gsa.gov>
2 participants
🛠 Summary of changes
The calls to
bypass_sign_inremoved in this PR seem to be unnecessary and are at best confusing since we should be able to rely on Devise to handle assignment of the user resource. The one exception is when updating the password while already authenticated because a change in the password hash terminates existing sessions.